arXiv:1506.02711v1 [math.CO] 8 Jun 2015


Combinatorial Characterizations of Algebraic Manipulation 
Detection Codes Involving Generalized Difference Families 


Maura B. Paterson¹ and Douglas R. Stinson*²

¹ Department of Economics, Mathematics and Statistics, Birkbeck, University of London,
Malet Street, London WC1E 7HX, UK

² David R. Cheriton School of Computer Science, University of Waterloo, Waterloo,
Ontario, N2L 3G1, Canada

June 10, 2015 


Abstract 

This paper provides a mathematical analysis of optimal algebraic manipulation detection 
(AMD) codes. We prove several lower bounds on the success probability of an adversary and 
we then give some combinatorial characterizations of AMD codes that meet the bounds with 
equality. These characterizations involve various types of generalized difference families.
Constructing these difference families is an interesting problem in its own right.


1 Introduction 

Algebraic manipulation detection (AMD) codes were defined in 2008 by Cramer et al. [3l 0] as a 
generalization and abstraction of techniques that were previously used in the study of robust secret 
sharing schemes. AMD codes are studied further in PEIE]. Several interesting and
useful applications of these structures are described in these papers, including applications to robust
fuzzy extractors, secure multiparty computation, non-malleable codes, etc. Various construction 
methods for AMD codes are also presented in these papers. 

We begin by providing some motivating examples as well as some historical context from the 
point of view of authentication codes. AMD codes can be considered as a variation of the classical
unconditionally secure authentication codes [15], which we will refer to as A-codes for short. An
A-code has the form $(\mathcal{S}, \mathcal{T}, \mathcal{K}, \mathcal{E})$ where $\mathcal{S}$ is a set of plaintext sources, $\mathcal{T}$ is a set of tags,
$\mathcal{K}$ is a set of keys and $\mathcal{E}$ is a set of encoding functions. For each $K \in \mathcal{K}$, there is a (possibly
randomized) encoding function $E_K : \mathcal{S} \to \mathcal{T}$. A secret key $K \in \mathcal{K}$ is chosen randomly. Later a
source $s \in \mathcal{S}$ is selected and the tag $t = E_K(s)$ is computed. The tag $t$ is authenticated by verifying
that $t = E_K(s)$; this can be done only with knowledge of the key $K$. Having seen a valid pair $(s, t)$,
an active adversary may create a bogus pair $(s', t')$ (where $s' \ne s$), hoping that it will be accepted
as authentic (this process is called substitution). The adversary is trying to maximize the success
probability of such an attack. One main objective is to design A-codes that will minimize the
success probability of the adversary.

*D. Stinson’s research is supported by NSERC discovery grant 203114-11. 

Example 1.1. Let $p$ be prime and define $\mathcal{S} = \mathcal{T} = \mathbb{Z}_p$. Define $\mathcal{K} = \mathbb{Z}_p \times \mathbb{Z}_p$. For every
$K = (c, d) \in \mathcal{K}$, define the function $E_K$ by the rule $s \mapsto cs + d \bmod p$ for all $s \in \mathbb{Z}_p$. (That is, the
encoding functions consist of all linear functions from $\mathbb{Z}_p$ to $\mathbb{Z}_p$.) Any observed source-tag pair
$(s, t)$ is valid under exactly $p$ of the $p^2$ keys. Then, any substitution $(s', t')$ ($s' \ne s$) is valid under
exactly 1 of the $p$ “possible” keys. Therefore, the adversary’s success probability is $1/p$.

There are two types of AMD codes. The first type is a weak AMD code. Here there is no key,
so there is only one encoding function $E$. Further, the tag is an element of a finite additive abelian
group, say $\mathcal{G}$. The adversary is required to commit to a specific substitution of the form
$g \mapsto g + \Delta$, where $\Delta \in \mathcal{G} \setminus \{0\}$ is fixed. Later, a source $s \in \mathcal{S}$ is chosen randomly and encoded
to $g = E(s)$. Then $g$ is replaced by $g' = g + \Delta$. The adversary wins if $g' = E(s')$ for some $s' \ne s$.
Again, the objective in designing such a code is to minimize the adversary’s success probability.

Example 1.2. Let $\mathcal{S} = \{1, 2, 3, 4, 5\}$ and let $\mathcal{G} = \mathbb{Z}_{21}$. The encoding function $E$ is defined by
$E(1) = 3$, $E(2) = 6$, $E(3) = 12$, $E(4) = 7$ and $E(5) = 14$. It turns out that the adversary’s success
probability is $1/5$, independent of his choice of $\Delta \ne 0$. This follows because $\{3, 6, 12, 7, 14\}$ is a
difference set in $\mathbb{Z}_{21}$ (for the definition of difference set, see Section 2).

The second type of AMD code is a strong AMD code. It is basically the same as a weak AMD 
code, except that the adversary is given the source (but not the encoded version of the source) 
before choosing $\Delta$.

Example 1.3. This example is based on Example 2.7. Let $\mathcal{S} = \{1, 2, 3, 4\}$ and let $\mathcal{G} = \mathbb{Z}_7$.
The encoding function $E$ is defined by $E(1) = 1$, $E(2) = 2$, $E(3) = 4$ and $E(4) \in_R \{0, 3, 5, 6\}$
(the notation $\in_R$ denotes that the given encoding is to be chosen uniformly at random from
the given set). If the source $s = 1, 2$ or $3$, then the adversary succeeds with probability 1 by
choosing $\Delta$ such that $E(s) + \Delta = E(s')$ for some $s' \ne s$. However, if the source $s = 4$, it can
be verified that the adversary’s success probability is $1/2$. To see this, observe for any $\Delta \ne 0$ that
$E(4) + \Delta \in \{E(1), E(2), E(3)\}$ for precisely two of the four possible values of $E(4)$.

1.1 Notation 

In this section, we present relevant notation that we will use in the rest of the paper. 

• There is a set $\mathcal{S}$ of plaintext messages which is termed the source space, where $|\mathcal{S}| = m$. There
will be a probability distribution on $\mathcal{S}$, which is assumed to be public. We will normally
assume $\Pr[s] = 1/m$ for all $s \in \mathcal{S}$, so we have equiprobable sources.

• The encoded message space (or more simply, message space) is a set $\mathcal{G}$, where $|\mathcal{G}| = n$ (note:
$\mathcal{G}$ will usually be an additive abelian group with identity 0).

• For every source $s \in \mathcal{S}$, let $A(s) \subseteq \mathcal{G}$ denote the set of valid encodings of $s$. We require that
$A(s) \cap A(s') = \emptyset$ if $s \ne s'$; this ensures that any message can be correctly decoded. Denote
$\mathcal{A} = \{A(s) : s \in \mathcal{S}\}$.

• Let $a_s = |A(s)|$ for any $s \in \mathcal{S}$. Define

$$\mathcal{G}_0 = \bigcup_{s \in \mathcal{S}} A(s)$$

and denote

$$a = \sum_{s \in \mathcal{S}} a_s.$$

If $a_s$ is constant, say $k$, then the code is k-uniform. In this case, $a = km$.

• $E : \mathcal{S} \to \mathcal{G}$ is a (possibly randomized) encoding function that maps a source $s \in \mathcal{S}$ to some
$g \in A(s)$ according to a certain probability distribution defined on $A(s)$;

$$\Pr[E(s) = g] = \Pr[g \mid s].$$

The encoding function $E$, as well as the probability distributions $\Pr[E(s) = g]$, are assumed
to be public. Observe that, for equiprobable sources, the induced probability distribution on
$\mathcal{G}_0$ is given by

$$\Pr[g] = \frac{1}{m} \Pr[E(s) = g]$$

for all $s \in \mathcal{S}$ and all $g \in A(s)$.

• Formally, we can define the AMD code as a 4-tuple $(\mathcal{S}, \mathcal{G}, \mathcal{A}, E)$.

• If $\Pr[E(s) = g] = 1/a_s$ for every $s \in \mathcal{S}$ and every $g \in A(s)$, then the code has equiprobable
encoding. Such a code can be denoted as a 3-tuple $(\mathcal{S}, \mathcal{G}, \mathcal{A})$. In a code with equiprobable
sources and equiprobable encoding, we have

$$\Pr[g] = \frac{1}{a_s m}$$

for all $s \in \mathcal{S}$ and all $g \in A(s)$.

• A k-uniform code that has equiprobable sources and equiprobable encoding is said to be
k-regular. In a k-regular code, we have

$$\Pr[g] = \frac{1}{km}$$

for all $g \in \mathcal{G}_0$.

• A 1-regular code is said to be deterministic because the source uniquely determines the
encoding. In a deterministic code with equiprobable sources, we have

$$\Pr[g] = \frac{1}{m}$$

for all $g \in \mathcal{G}_0$.

1.2 Formal Definitions of Weak and Strong AMD Codes 

We formally define the notion of weak security for an AMD code $(\mathcal{S}, \mathcal{G}, \mathcal{A}, E)$ by considering a
certain game incorporating an adversary. The adversary has complete information about the AMD
code that is being used. Based on this information, the adversary will adopt a strategy $\sigma$ which he
will use to choose a value $\Delta$ in the game described below. A strategy is allowed to be randomized.


Definition 1.1 (Weak AMD code).

Suppose $(\mathcal{S}, \mathcal{G}, \mathcal{A}, E)$ is an AMD code.

1. The value $\Delta \in \mathcal{G} \setminus \{0\}$ is chosen according to the adversary’s strategy.

2. The source $s \in \mathcal{S}$ is chosen uniformly at random by the encoder (i.e., we have equiprobable
sources).

3. The source is encoded into $g \in A(s)$ using the encoding function $E$.

4. The adversary wins if and only if $g + \Delta \in A(s')$ for some $s' \ne s$.

The success probability of the strategy $\sigma$, denoted $\epsilon_\sigma$, is the probability that the adversary wins this
game using the specific strategy $\sigma$.

We will say that the code $(\mathcal{S}, \mathcal{G}, \mathcal{A}, E)$ is a weak $(m, n, \epsilon)$-AMD code where $\epsilon$ denotes the
success probability of the adversary’s optimal strategy. That is,

$$\epsilon = \max_{\sigma} \{\epsilon_\sigma\}.$$

We now turn to the stronger security model. The following concept of strong security is also
defined as a game involving an adversary. In this model, the strategy $\sigma$ used to choose $\Delta$ will
depend on the source $s$.

Definition 1.2 (Strong AMD code).

1. The source $s \in \mathcal{S}$ is given to the adversary (here there is no probability distribution defined
on $\mathcal{S}$).

2. The value $\Delta \in \mathcal{G} \setminus \{0\}$ is chosen according to the adversary’s strategy.

3. The source is encoded into $g \in A(s)$ using the encoding function $E$.

4. The adversary wins if and only if $g + \Delta \in A(s')$ for some $s' \ne s$.

For a given source $s$, the success probability of the strategy $\sigma$, denoted $\epsilon_{\sigma,s}$, is the probability that
the adversary wins this game using the specific strategy $\sigma$.

We will say that the code $(\mathcal{S}, \mathcal{G}, \mathcal{A}, E)$ is a strong $(m, n, \epsilon)$-AMD code where $\epsilon$ denotes the
maximum success probability of any strategy over all sources $s$. That is,

$$\epsilon = \max \{\epsilon_{\sigma,s}\}.$$

As we mentioned earlier, the difference between a weak and strong AMD code is that, in a weak
code, the adversary chooses $\Delta$ before he sees $s$, while in a strong code, the adversary is given $s$ and
then he chooses $\Delta$.
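
The strong game of Definition 1.2 can be evaluated exhaustively for a small code. The following Python code is an added example, not taken from the paper: it assumes the group is $\mathbb{Z}_n$, the names `strong_success`, `uniform`, `EXAMPLE_1_3` and `SKEWED` are hypothetical, and the skewed distribution is constructed here to show what a non-uniform choice of $E(4)$ does to the code of Example 1.3.

```python
from fractions import Fraction


def strong_success(code, n):
    """Strong game of Definition 1.2 over the group Z_n (assumed here).

    code maps each source s to {g: Pr[E(s) = g]} with exact Fractions.
    Returns {s: (eps_s, delta)}: the best success probability once s is
    known, and the smallest nonzero Delta that achieves it.
    """
    owner = {}
    for s, dist in code.items():
        assert sum(dist.values()) == 1, "Pr[E(s) = g] must sum to 1"
        for g in dist:
            assert g not in owner, "the sets A(s) must be pairwise disjoint"
            owner[g] = s

    result = {}
    for s, dist in code.items():
        best, best_delta = Fraction(0), None
        for delta in range(1, n):
            # The adversary wins when g + Delta is a valid encoding of
            # some other source s' != s.
            p = sum((pr for g, pr in dist.items()
                     if owner.get((g + delta) % n, s) != s), Fraction(0))
            if p > best:
                best, best_delta = p, delta
        result[s] = (best, best_delta)
    return result


def uniform(encodings):
    """Equiprobable encoding on the given set A(s)."""
    return {g: Fraction(1, len(encodings)) for g in encodings}


# The code of Example 1.3 over Z_7.
EXAMPLE_1_3 = {
    1: uniform([1]),
    2: uniform([2]),
    3: uniform([4]),
    4: uniform([0, 3, 5, 6]),
}

# Constructed variant: same sets A(s), but E(4) outputs 0 half of the time.
SKEWED = dict(EXAMPLE_1_3)
SKEWED[4] = {0: Fraction(1, 2), 3: Fraction(1, 6),
             5: Fraction(1, 6), 6: Fraction(1, 6)}

if __name__ == "__main__":
    for name, code in (("Example 1.3", EXAMPLE_1_3), ("skewed", SKEWED)):
        for s, (eps, delta) in strong_success(code, 7).items():
            print(f"{name}: s={s} eps_s={eps} (Delta={delta})")
```

With equiprobable encoding the source $s = 4$ is protected with probability $1/2$, as stated in Example 1.3; with the constructed skewed distribution the same sets give $2/3$.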

1.3 Our Contributions

In this paper, we study optimal AMD codes, i.e., codes in which the adversary’s success probability 
is as small as possible. We consider bounds for both weak and strong AMD codes and investigate 
when these bounds can be achieved. This involves several generalizations of difference families, 
some of which have apparently not been studied previously. 

Connections between AMD codes and difference families have been observed previously, e.g., in 
[5]. The paper [5] and other prior work is mainly concerned with codes that are “close to” optimal 
and/or the construction of classes of codes that have asymptotically optimal behaviour. This is of 
course desirable from the point of view of applications. In contrast, our focus is on mathematical 
characterizations of codes where the relevant bounds are exactly met with equality; this is the sense 
in which we are using the term “optimal”. 

The rest of this paper is organized as follows. In Section 2, we define all the generalizations
of difference families that we will be using in the rest of the paper. We give some examples and
constructions as well as prove some nonexistence results. Section 3 studies weak AMD codes.
Bounds are considered in Section 3.1, where we introduce the notion of R-optimal and G-optimal
AMD codes; these bounds arise in the analysis of two different adversarial strategies. Conditions
under which these bounds can be met with equality are presented in Section 3.2. Section 4 provides
an analogous treatment of strong AMD codes. Finally, we conclude the paper in Section [3 

2 Difference Families and Generalizations 

In this section, we describe several variations of difference sets and difference families. These 
concepts will be essential for constructions and combinatorial characterizations of optimal (strong 
and weak) AMD codes. Some of the definitions we give are new, and we prove some interesting 
connections between various types of difference families that may be of independent interest. 

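Let $\mathcal{G}$ be an abelian group. For any two disjoint sets $A_1, A_2 \subseteq \mathcal{G}$, define

$$\mathcal{D}(A_1, A_2) = \{x - y : x \in A_1, y \in A_2\}.$$

Note that $\mathcal{D}(A_1, A_2)$ is a multiset. Also, for any $A_1 \subseteq \mathcal{G}$, define

$$\mathcal{D}(A_1) = \{x - y : x, y \in A_1, x \ne y\}.$$

$\mathcal{D}(A_1)$ is also a multiset.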

Our first two definitions—difference sets and difference families—are standard. There is a large 
literature on these combinatorial structures. 

Definition 2.1 (Difference Set). Let $\mathcal{G}$ be an additive abelian group of order $n$. An $(n, m, \lambda)$-
difference set (or $(n, m, \lambda)$-DS) is a set $A_1 \subseteq \mathcal{G}$, such that the following multiset equation holds:

$$\mathcal{D}(A_1) = \lambda(\mathcal{G} \setminus \{0\}).$$

If an $(n, m, \lambda)$-DS exists, then $\lambda(n - 1) = m(m - 1)$.

Remark: We can consider any set of size 1 to be a (trivial) difference set with $\lambda = 0$.

Definition 2.2 (Difference Family). Let $\mathcal{G}$ be an additive abelian group of order $n$. An $(n, m, k, \lambda)$-
difference family (or $(n, m, k, \lambda)$-DF) is a set of $m$ k-subsets of $\mathcal{G}$, say $A_1, \ldots, A_m$, such that
the following multiset equation holds:

$$\bigcup_{i} \mathcal{D}(A_i) = \lambda(\mathcal{G} \setminus \{0\}).$$

If an $(n, m, k, \lambda)$-DF exists, then $\lambda(n - 1) = mk(k - 1)$. Also, an $(n, m, \lambda)$-DS is an
$(n, 1, m, \lambda)$-DF.

The following definition is from m- 

Definition 2.3 (External difference family). Let $\mathcal{G}$ be an additive abelian group of order $n$. An
$(n, m, k, \lambda)$-external difference family (or $(n, m, k, \lambda)$-EDF) is a set of $m$ disjoint k-subsets of
$\mathcal{G}$, say $A_1, \ldots, A_m$, such that the following multiset equation holds:

$$\bigcup_{\{i, j : i \ne j\}} \mathcal{D}(A_i, A_j) = \lambda(\mathcal{G} \setminus \{0\}).$$

If an $(n, m, k, \lambda)$-EDF exists, then $n \ge mk$ and

$$\lambda(n - 1) = k^2 m(m - 1). \qquad (1)$$

Also, an $(n, m, 1, \lambda)$-EDF is the same thing as an $(n, m, \lambda)$ difference set.

There are several papers giving construction methods for external difference families, e.g.,
[2, 7, 8, 9, 10, 11, 17]. Here is an example of one infinite class of external difference families, due to
Tonchev; it was later rediscovered in [10].

Theorem 2.1. [17] Suppose that $q = 2u\ell + 1$ is a prime power, where $u$ and $\ell$ are odd. Then
there exists a $(q, u, \ell, (q - 2\ell - 1)/4)$-EDF in $\mathbb{F}_q$.

Proof. Let $\alpha \in \mathbb{F}_q$ be a primitive element. Let $C$ be the subgroup of $\mathbb{F}_q^*$ having order $u$ and index
$2\ell$. The $\ell$ cosets ($0 \le i \le \ell - 1$) form the EDF. □

Example 2.1. We give an example to illustrate Theorem 2.1. Let $\mathcal{G} = (\mathbb{Z}_{19}, +)$. Then $\alpha = 2$ is a
primitive element and $C = \{1, 7, 11\}$ is the (unique) subgroup of order 3 in $\mathbb{Z}_{19}^*$. A $(19, 3, 3, 3)$-EDF
is given by the three sets $\{1, 7, 11\}$, $\{4, 9, 6\}$ and $\{16, 17, 5\}$.

We refer to O Table II] for a list of known external difference families. 

Remark: The related but more general concept of a difference system of sets was defined much 
earlier, by Levenshtein, in m- This is similar to the definition of an external difference family, 
except that every difference $x - y$ ($x \in A_i$, $y \in A_j$, $i \ne j$) is required to occur at least $\lambda$ times.
However, we note that a perfect, regular difference system of sets is equivalent to an external 
difference family. 

As we will discuss later, for the applications to AMD codes we will be considering, it is sufficient 
that every difference occurs at most $\lambda$ times. This motivates the following definition.

Definition 2.4 (Bounded external difference family). Let $\mathcal{G}$ be an additive abelian group of order $n$.
An $(n, m, k, \lambda)$-bounded external difference family (or $(n, m, k, \lambda)$-BEDF) is a set of $m$ disjoint
k-subsets of $\mathcal{G}$, say $A_1, \ldots, A_m$, such that the following condition holds for every $g \in \mathcal{G} \setminus \{0\}$:

$$|\{x - y : x - y = g, x \in A_i, y \in A_j, i \ne j\}| \le \lambda.$$

It is obvious that an $(n, m, k, \lambda)$-EDF is an $(n, m, k, \lambda)$-BEDF.

Definition 2.5 (Strong external difference family). Let $\mathcal{G}$ be an additive abelian group of order
$n$. An $(n, m, k; \lambda)$-strong external difference family (or $(n, m, k; \lambda)$-SEDF) is a set of $m$
disjoint k-subsets of $\mathcal{G}$, say $A_1, \ldots, A_m$, such that the following multiset equation holds for every $i$,
$1 \le i \le m$:

$$\bigcup_{\{j : j \ne i\}} \mathcal{D}(A_i, A_j) = \lambda(\mathcal{G} \setminus \{0\}). \qquad (2)$$

It is easy to see that an $(n, m, k, \lambda)$-SEDF is an $(n, m, k, m\lambda)$-EDF. Therefore, from (1), if an
$(n, m, k, \lambda)$-SEDF exists, then

$$\lambda(n - 1) = k^2(m - 1). \qquad (3)$$

Example 2.2. Let $\mathcal{G} = (\mathbb{Z}_{k^2+1}, +)$, $A_1 = \{0, 1, \ldots, k - 1\}$ and $A_2 = \{k, 2k, \ldots, k^2\}$. This is a
$(k^2 + 1, 2; k; 1)$-SEDF.

Example 2.3. Let $\mathcal{G} = (\mathbb{Z}_n, +)$ and $A_i = \{i\}$ for $0 \le i \le n - 1$. This is an $(n, n; 1; 1)$-SEDF.

Theorem 2.2. There does not exist an $(n, m, k, 1)$-SEDF with $m \ge 3$ and $k > 1$.

Proof. Suppose $A_1, \ldots, A_m$ is an $(n, m, k, 1)$-SEDF with $m \ge 3$ and $k > 1$. From (2), it follows
that

$$\bigcup_{\{i, j : i \ne j\}} \mathcal{D}(A_i, A_j) = m(\mathcal{G} \setminus \{0\}). \qquad (4)$$

Then, from (2) and (4), we have

$$\bigcup_{\{i, j : 2 \le i \le m,\ 2 \le j \le m,\ i \ne j\}} \mathcal{D}(A_i, A_j) = (m - 2)(\mathcal{G} \setminus \{0\}). \qquad (5)$$

Suppose $x, y \in A_1$, $x \ne y$ (note that $k > 1$ so we have two distinct elements in $A_1$). Now, from
(5), since $m > 2$, there exists $u \in A_i$, $v \in A_j$ such that $i, j > 1$, $i \ne j$ and $u - v = x - y$. Then
$u - x = v - y$, which contradicts (2). □

Theorem 2.3. There exists an $(n, m, k, 1)$-SEDF if and only if $m = 2$ and $n = k^2 + 1$, or $k = 1$
and $m = n$.

Proof. From Theorem 2.2, we only need to consider the cases $m = 2$ and $k = 1$. If $m = 2$, then
from (3), we must have $n = k^2 + 1$, and the relevant SEDF exists from Example 2.2. If $k = 1$, then
from (3) we must have $m = n$, and the relevant SEDF exists from Example 2.3. □

Next, we consider generalizations of external difference families and strong external difference
families in which the subsets $A_1, \ldots, A_m$ are allowed to be of possibly different sizes.

Definition 2.6 (Generalized external difference family). Let $\mathcal{G}$ be an additive abelian group of order
$n$. An $(n, m; k_1, \ldots, k_m; \lambda)$-generalized external difference family (or $(n, m; k_1, \ldots, k_m; \lambda)$-
GEDF) is a set of $m$ disjoint subsets of $\mathcal{G}$, say $A_1, \ldots, A_m$, such that $|A_i| = k_i$ for $1 \le i \le m$ and
the following multiset equation holds:

$$\bigcup_{\{i, j : i \ne j\}} \mathcal{D}(A_i, A_j) = \lambda(\mathcal{G} \setminus \{0\}).$$

Clearly, an $(n, m, k, \lambda)$-EDF is an $(n, m; k, \ldots, k; \lambda)$-GEDF.

Example 2.4. Let $\mathcal{G} = (\mathbb{Z}_{13}, +)$, $A_1 = \{0, 1\}$ and $A_2 = \{2, 4, 6\}$. This is a $(13, 2; 2, 3; 1)$-GEDF.

Example 2.5. Let $\mathcal{G} = (\mathbb{Z}_{11}, +)$, $A_1 = \{0\}$, $A_2 = \{1\}$, and $A_3 = \{3, 5\}$. This is an
$(11, 3; 1, 1, 2; 1)$-GEDF.

Remark: A generalized external difference family is also known as a perfect difference system of 
sets. 

Definition 2.7 (Generalized strong external difference family). Let $\mathcal{G}$ be an additive abelian group
of order $n$. An $(n, m; k_1, \ldots, k_m; \lambda_1, \ldots, \lambda_m)$-generalized strong external difference family
(or $(n, m; k_1, \ldots, k_m; \lambda_1, \ldots, \lambda_m)$-GSEDF) is a set of $m$ disjoint subsets of $\mathcal{G}$, say $A_1, \ldots, A_m$,
such that $|A_i| = k_i$ for $1 \le i \le m$ and the following multiset equation holds for every $i$, $1 \le i \le m$:

$$\bigcup_{\{j : j \ne i\}} \mathcal{D}(A_i, A_j) = \lambda_i(\mathcal{G} \setminus \{0\}).$$

It is obvious that an $(n, m, k, \lambda)$-SEDF is an $(n, m; k, \ldots, k; \lambda, \ldots, \lambda)$-GSEDF.

Example 2.6. Let $\mathcal{G} = (\mathbb{Z}_n, +)$, $A_1 = \{0\}$ and $A_2 = \{1, 2, \ldots, n - 1\}$. This is an
$(n, 2; 1, n - 1; 1, 1)$-GSEDF.

Example 2.7. Let $\mathcal{G} = (\mathbb{Z}_7, +)$, $A_1 = \{1\}$, $A_2 = \{2\}$, $A_3 = \{4\}$, and $A_4 = \{0, 3, 5, 6\}$. This is a
$(7, 4; 1, 1, 1, 4; 1, 1, 1, 2)$-GSEDF.

An $(n, m; k_1, \ldots, k_m; \lambda_1, \ldots, \lambda_m)$-GSEDF is maximal if $\sum_{i=1}^{m} k_i = n$. Here is a nice
characterization of maximal GSEDF.

Theorem 2.4. Suppose $A_1, \ldots, A_m$ is a partition of $\mathcal{G}$ (where $|\mathcal{G}| = n$) with $|A_i| = k_i$ for
$1 \le i \le m$. Then $A_1, \ldots, A_m$ is a (maximal) $(n, m; k_1, \ldots, k_m; \lambda_1, \ldots, \lambda_m)$-GSEDF if and only if
$A_i$ is an $(n, k_i, k_i - \lambda_i)$-DS in $\mathcal{G}$, for $1 \le i \le m$.



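Proof. Fix a value $i$, $1 \le i \le m$. It is clear that

$$\begin{aligned}
\mathcal{D}(A_i, \mathcal{G} \setminus A_i) &= \bigcup_{x \in A_i} \mathcal{D}(x, \mathcal{G} \setminus A_i) \\
&= \bigcup_{x \in A_i} \bigl( \mathcal{D}(x, \mathcal{G} \setminus \{x\}) \setminus \mathcal{D}(x, A_i \setminus \{x\}) \bigr) \\
&= \Bigl( \bigcup_{x \in A_i} \mathcal{D}(x, \mathcal{G} \setminus \{x\}) \Bigr) \setminus \Bigl( \bigcup_{x \in A_i} \mathcal{D}(x, A_i \setminus \{x\}) \Bigr) \\
&= \Bigl( \bigcup_{x \in A_i} (\mathcal{G} \setminus \{0\}) \Bigr) \setminus \mathcal{D}(A_i),
\end{aligned}$$

where all operations are multiset operations. Therefore,

$$\bigcup_{\{j : j \ne i\}} \mathcal{D}(A_i, A_j) = \lambda_i(\mathcal{G} \setminus \{0\})$$

if and only if

$$\mathcal{D}(A_i) = (k_i - \lambda_i)(\mathcal{G} \setminus \{0\}).$$

□

Theorem 2.5. Suppose there exists an $(n, m; k_1, \ldots, k_m; \lambda_1, \ldots, \lambda_m)$-GSEDF where $k_1 = 1$. Then
$\lambda_1 = 1$ and $\sum_{i=1}^{m} k_i = n$ (i.e., the GSEDF is maximal).

Proof. We have $k_1(a - k_1) = a - 1 = \lambda_1(n - 1)$, where $a = \sum_{i=1}^{m} k_i$. Since $a \le n$ and $\lambda_1 \ge 1$, it must
be the case that $a = n$ and $\lambda_1 = 1$. □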

Definition 2.8 (Bounded generalized strong external difference family). Let $\mathcal{G}$ be an additive
abelian group of order $n$. An $(n, m; k_1, \ldots, k_m; \lambda_1, \ldots, \lambda_m)$-bounded generalized strong external
difference family (or $(n, m; k_1, \ldots, k_m; \lambda_1, \ldots, \lambda_m)$-BGSEDF) is a set of $m$ disjoint subsets of
$\mathcal{G}$, say $A_1, \ldots, A_m$, such that $|A_i| = k_i$ for $1 \le i \le m$ and the following multiset equation holds for
every $j$, $1 \le j \le m$, and for every $g \in \mathcal{G} \setminus \{0\}$:

$$|\{x - y : x - y = g, x \in A_i, y \in A_j, i \ne j\}| \le \lambda_j.$$

Remark: A BGSEDF is equivalent to the notion of differential structure, as defined, e.g., in [5]. 

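Definition 2.9 (Partitioned external difference family). Let $\mathcal{G}$ be an additive abelian group of
order $n$. An $(n, m; c_1, \ldots, c_\ell; k_1, \ldots, k_\ell; \lambda_1, \ldots, \lambda_\ell)$-partitioned external difference family (or
$(n, m; c_1, \ldots, c_\ell; k_1, \ldots, k_\ell; \lambda_1, \ldots, \lambda_\ell)$-PEDF) is a set of $m = \sum_{h=1}^{\ell} c_h$ disjoint subsets of $\mathcal{G}$, say
$A_1, \ldots, A_m$, such that there are $c_h$ subsets of size $k_h$, for $1 \le h \le \ell$, and the following multiset
equation holds for every $h$, $1 \le h \le \ell$:

$$\bigcup_{\{i : |A_i| = k_h\}} \ \bigcup_{\{j : j \ne i\}} \mathcal{D}(A_i, A_j) = \lambda_h(\mathcal{G} \setminus \{0\}).$$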

We note the following:

• an $(n, m; k_1, \ldots, k_m; \lambda_1, \ldots, \lambda_m)$-GSEDF is an $(n, m; 1, \ldots, 1; k_1, \ldots, k_m; \lambda_1, \ldots, \lambda_m)$-PEDF

• an $(n, m, k, \lambda)$-EDF is an $(n, m; m; k; \lambda)$-PEDF

• an $(n, m; c_1, \ldots, c_\ell; k_1, \ldots, k_\ell; \lambda_1, \ldots, \lambda_\ell)$-PEDF is an $(n, m; k_1^{c_1}, \ldots, k_\ell^{c_\ell}; \lambda)$-GEDF in which

$$\lambda = \sum_{i=1}^{\ell} \lambda_i,$$

where the notation $k_h^{c_h}$ denotes $c_h$ occurrences of $k_h$, for $1 \le h \le \ell$.

Here is an example of a PEDF that is not an EDF or GSEDF. 

Example 2.8. Let $\mathcal{G} = (\mathbb{Z}_{13}, +)$, $A_1 = \{0, 1, 4\}$, $A_2 = \{3, 5, 10\}$, $A_3 = \{2, 6, 7, 9\}$, $A_4 = \{8\}$,
$A_5 = \{11\}$, $A_6 = \{12\}$. It can be verified that $A_1, \ldots, A_6$ is a $(13, 6; 2, 1, 3; 3, 4, 1; 5, 3, 3)$-PEDF. To
see that it is not a GSEDF, we first compute the occurrence of differences from $A_1$ to the union of
the other $A_i$’s:

difference   1  2  3  4  5  6  7  8  9 10 11 12
frequency    2  3  2  2  3  3  3  3  2  2  3  2

Then we compute the occurrence of differences from $A_2$ to the union of the other $A_i$’s:

difference   1  2  3  4  5  6  7  8  9 10 11 12
frequency    3  2  3  3  2  2  2  2  3  3  2  3

These two lists of occurrences of differences are not uniform, so we do not have a GSEDF. However,
each difference occurs a total of five times in the two lists.

Theorem 2.6. Suppose $A_1, \ldots, A_m$ is a partition of $\mathcal{G}$ (where $|\mathcal{G}| = n$) such that there are $c_h$ subsets
of size $k_h$ for $1 \le h \le \ell$. Then $A_1, \ldots, A_m$ is a (maximal) $(n, m; c_1, \ldots, c_\ell; k_1, \ldots, k_\ell; \lambda_1, \ldots, \lambda_\ell)$-
PEDF if and only if the subsets of cardinality $k_h$ form an $(n, c_h, k_h, c_h k_h - \lambda_h)$-DF in $\mathcal{G}$, for $1 \le h \le \ell$.

Proof. We omit the proof, which is similar to the proof of Theorem 2.4. □

Example 2.9. Let’s look again at the PEDF in Example 2.8. Here the two sets of size 3 form a
$(13, 2, 3, 1)$-DF; the set of size 4 is a $(13, 1, 4, 1)$-DF; and the three sets of size 1 form a
$(13, 3, 1, 0)$-DF.
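
The definitions of this section can be checked mechanically on the examples above. The following Python code is an added example, not part of the paper: it assumes the group is $\mathbb{Z}_n$, all function and constant names are hypothetical, and each checker returns the value(s) of $\lambda$ when the corresponding multiset equation holds and `None` otherwise.

```python
from collections import Counter


def uniform_lambda(counts, n):
    """Return lambda if every nonzero g in Z_n occurs exactly lambda times."""
    values = {counts[g] for g in range(1, n)}
    return values.pop() if len(values) == 1 else None


def external_counts(sets, n, i):
    """Multiset of x - y (mod n) with x in A_i and y in A_j, j != i."""
    counts = Counter()
    for j, other in enumerate(sets):
        if j != i:
            counts.update((x - y) % n for x in sets[i] for y in other)
    return counts


def internal_counts(block, n):
    """Multiset D(A) of differences x - y (mod n), x != y, inside one set."""
    return Counter((x - y) % n for x in block for y in block if x != y)


def frequency_row(sets, n, i):
    """Frequencies of the differences 1..n-1 from A_i to all other sets."""
    counts = external_counts(sets, n, i)
    return [counts[g] for g in range(1, n)]


def gedf_lambda(sets, n):
    """lambda of a GEDF (Definition 2.6), or None."""
    total = Counter()
    for i in range(len(sets)):
        total.update(external_counts(sets, n, i))
    return uniform_lambda(total, n)


def gsedf_lambdas(sets, n):
    """[lambda_1, ..., lambda_m] of a GSEDF (Definition 2.7), or None."""
    lams = [uniform_lambda(external_counts(sets, n, i), n)
            for i in range(len(sets))]
    return None if None in lams else lams


def pedf_lambdas(sets, n):
    """{k_h: lambda_h} of a PEDF (Definition 2.9), or None."""
    by_size = {}
    for i, block in enumerate(sets):
        by_size.setdefault(len(block), Counter()).update(
            external_counts(sets, n, i))
    lams = {k: uniform_lambda(c, n) for k, c in by_size.items()}
    return None if None in lams.values() else lams


def theorem_2_4_holds(partition, n):
    """For a partition of Z_n: each A_i is an (n, k_i, k_i - lambda_i)-DS."""
    lams = gsedf_lambdas(partition, n)
    return lams is not None and all(
        uniform_lambda(internal_counts(block, n), n) == len(block) - lam
        for block, lam in zip(partition, lams))


EX_2_1 = [{1, 7, 11}, {4, 9, 6}, {16, 17, 5}]              # in Z_19
EX_2_4 = [{0, 1}, {2, 4, 6}]                               # in Z_13
EX_2_7 = [{1}, {2}, {4}, {0, 3, 5, 6}]                     # in Z_7
EX_2_8 = [{0, 1, 4}, {3, 5, 10}, {2, 6, 7, 9}, {8}, {11}, {12}]  # in Z_13

if __name__ == "__main__":
    print("Example 2.1 EDF lambda:", gedf_lambda(EX_2_1, 19))
    print("Example 2.1 as SEDF:", gsedf_lambdas(EX_2_1, 19))
    print("Example 2.7 GSEDF lambdas:", gsedf_lambdas(EX_2_7, 7))
    print("Example 2.8 PEDF lambdas:", pedf_lambdas(EX_2_8, 13))
    print("Example 2.8 row for A_1:", frequency_row(EX_2_8, 13, 0))
```

The EDF of Example 2.1 is rejected by `gsedf_lambdas`, in line with Theorem 2.2.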

In Figure 1, we indicate the relationship between the various types of difference families we have
defined. If we designate X → Y, this indicates that any example of “X” automatically satisfies the
properties of “Y”.

3 Weak AMD Codes 

Our goal is to prove lower bounds on the adversary’s optimal success probability, $\epsilon$. Note that a
lower bound on $\epsilon$ states that there exists an adversary who wins the relevant game with at least
some specified probability. Then we construct codes that meet these lower bounds, i.e., codes in 
which the adversary cannot succeed with higher probability. Whenever possible, we will prove 
bounds without assuming that the code is uniform or has equiprobable encoding (we do assume 
equiprobable sources, however). 

Figure 1: Relationships between various types of difference families

3.1 Bounds for Weak AMD Codes 

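Theorem 3.1. In any weak $(m, n, \epsilon)$-AMD code, it holds that

$$\epsilon \ge \frac{a(m - 1)}{m(n - 1)}.$$

Proof. Suppose the adversary chooses the value $\Delta \in \mathcal{G} \setminus \{0\}$ uniformly at random. For any given
$g \in A(s)$ and for a randomly chosen $\Delta$, the probability that the adversary wins is $(a - a_s)/(n - 1)$.
The success probability $\epsilon_{\mathrm{rand}}$ of this random strategy rand is

$$\begin{aligned}
\epsilon_{\mathrm{rand}} &= \sum_{s} \sum_{g \in A(s)} \Pr[s] \Pr[E(s) = g] \times \frac{a - a_s}{n - 1} \\
&= \sum_{s} \Pr[s] \times \frac{a - a_s}{n - 1} \\
&= \frac{a}{n - 1} - \sum_{s} \Pr[s] \, \frac{a_s}{n - 1} \\
&= \frac{a}{n - 1} - \sum_{s} \frac{a_s}{m(n - 1)} \quad \text{(because the sources are equiprobable)} \\
&= \frac{a}{n - 1} - \frac{a}{m(n - 1)} \\
&= \frac{a(m - 1)}{m(n - 1)}.
\end{aligned}$$

□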


Corollary 3.2. In any k-uniform weak $(m, n, \epsilon)$-AMD code, it holds that

$$\epsilon \ge \frac{k(m - 1)}{n - 1}.$$

Proof. Note that $a = km$ in a k-uniform code and apply Theorem 3.1. □

Definition 3.1. We will define a weak AMD code that meets the bound of Theorem 3.1 (or Corollary
3.2, in the case that the code is k-uniform) with equality to be R-optimal. Here, “R” is used to
indicate that rand is an optimal strategy.

Corollary 3.3. Theorem 2.2] In any weak $(m, n, \epsilon)$-AMD code, it holds that

$$\epsilon \ge \frac{m - 1}{n - 1}.$$

Proof. Note that $a \ge m$ and apply Theorem 3.1. □

Remark: The bound of Corollary 3.3 is met with equality only if the code is deterministic.

Here is a new bound for weak AMD codes, that arises from a different adversarial strategy. 

Theorem 3.4. In any weak $(m, n, \epsilon)$-AMD code, it holds that

$$\epsilon \ge \frac{1}{a}.$$

Proof. We consider the following strategy guess for the adversary:

1. Find the encoding $g \in \mathcal{A}$ that occurs with the highest probability. Observe that $\Pr[g] \ge 1/a$.

2. Pick a $\Delta$ that will work for the particular encoding $g$.

Clearly, the success probability $\epsilon_{\mathrm{guess}}$ of the strategy guess is equal to $\Pr[g] \ge 1/a$. □

Definition 3.2. We will define a weak AMD code that meets the bound of Theorem 3.4 with equality
to be G-optimal. Here, “G” is used to indicate that guess is an optimal strategy.

Theorem 3.5. In any weak $(m, n, \epsilon)$-AMD code, it holds that

$$\epsilon^2 \ge \frac{m - 1}{m(n - 1)}.$$

Proof. Multiply the bounds proven in Theorems 3.1 and 3.4. □

A code that meets the bound of Theorem 3.5 with equality is simultaneously R-optimal and
G-optimal.

3.2 Optimal Weak AMD Codes 

In this section, we consider weak AMD codes that are R-optimal and/or G-optimal. Recall that a 
weak AMD code is R-optimal if $\epsilon = a(m - 1)/(m(n - 1))$ and it is G-optimal if $\epsilon = 1/a$.

3.2.1 R-Optimal Weak AMD Codes 

First, we consider R-optimality. Consider the strategy $g \mapsto g + \Delta$, where $\Delta \ne 0$, and let $\epsilon_\Delta$ denote
the success probability of this strategy. Clearly, we have

$$\epsilon = \max\{\epsilon_\Delta : \Delta \ne 0\}. \qquad (6)$$

For any $\Delta \ne 0$, define

$$\mathrm{Good}(\Delta) = \{g \in \mathcal{G}_0 : g \in A(s) \text{ and } g + \Delta \in A(s'), \text{ where } s' \ne s\}. \qquad (7)$$

$\mathrm{Good}(\Delta)$ denotes the set of encodings $g$ under which a substitution $g \mapsto g + \Delta$ will result in the
adversary winning the game.

Lemma 3.6. For any $\Delta \ne 0$, it holds that

$$\epsilon_\Delta = \sum_{g \in \mathrm{Good}(\Delta)} \Pr[g]. \qquad (8)$$

Proof. It is clear that

$$\epsilon_\Delta = \Pr[g \in \mathrm{Good}(\Delta)] = \sum_{g \in \mathrm{Good}(\Delta)} \Pr[g].$$

□


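Theorem 3.7. A weak AMD code is R-optimal if and only if $\epsilon_\Delta = a(m - 1)/(m(n - 1))$ for all
$\Delta \ne 0$.

Proof. Suppose we have an R-optimal weak AMD code. It is not hard to compute

$$\begin{aligned}
\sum_{\Delta \ne 0} \epsilon_\Delta &= \sum_{\Delta \ne 0} \ \sum_{g \in \mathrm{Good}(\Delta)} \Pr[g] \\
&= \sum_{g \in \mathcal{G}_0} \Pr[g] \times |\{\Delta : g \in \mathrm{Good}(\Delta)\}| \\
&= \sum_{s \in \mathcal{S}} \sum_{g \in A(s)} \Pr[s] \Pr[E(s) = g] \times |\{\Delta : g \in \mathrm{Good}(\Delta)\}| \\
&= \frac{1}{m} \sum_{s \in \mathcal{S}} \sum_{g \in A(s)} \Pr[E(s) = g] \, (a - a_s) \\
&= \frac{1}{m} \sum_{s \in \mathcal{S}} (a - a_s) \\
&= \frac{a(m - 1)}{m}.
\end{aligned}$$

Therefore the average of the quantities $\epsilon_\Delta$ ($\Delta \ne 0$) is equal to $a(m - 1)/(m(n - 1))$. In order to
have $\epsilon = a(m - 1)/(m(n - 1))$, it must be the case that $\epsilon_\Delta = a(m - 1)/(m(n - 1))$ for all $\Delta \ne 0$. □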


We next present a method of constructing R-optimal weak AMD codes. 


Theorem 3.8. Suppose there is an $(n, m; k_1, \ldots, k_m; \lambda_1, \ldots, \lambda_m)$-GSEDF. Then there is an (R-
optimal) weak $(m, n, a(m - 1)/(m(n - 1)))$-AMD code, where $a = \sum_{i=1}^{m} k_i$.

Proof. Suppose the GSEDF is given by $A_1, \ldots, A_m$. Let $a = \sum_{i=1}^{m} k_i$. Observe that

$$k_i(a - k_i) = \lambda_i(n - 1) \qquad (9)$$

for $1 \le i \le m$. Let $\mathcal{S} = \{s_1, \ldots, s_m\}$ be a set of $m$ sources. For $1 \le i \le m$, define $A(s_i) = A_i$ and
suppose the encoding function $E(s_i)$ is equiprobable. We show that $\epsilon_\Delta = a(m - 1)/(m(n - 1))$ for
all $\Delta \ne 0$. We have

$$\begin{aligned}
\epsilon_\Delta &= \sum_{g \in \mathrm{Good}(\Delta)} \Pr[g] \\
&= \sum_{i=1}^{m} \frac{1}{m} \times \frac{\lambda_i}{k_i} \\
&= \frac{1}{m} \sum_{i=1}^{m} \frac{a - k_i}{n - 1} \quad \text{from (9)} \\
&= \frac{1}{m(n - 1)} \sum_{i=1}^{m} (a - k_i) \\
&= \frac{a(m - 1)}{m(n - 1)}.
\end{aligned}$$

□


In fact, we can obtain R-optimal weak AMD codes from a weaker type of difference family, 
namely, a PEDF. 

Theorem 3.9. Suppose there is an $(n, m; c_1, \ldots, c_\ell; k_1, \ldots, k_\ell; \lambda_1, \ldots, \lambda_\ell)$-PEDF. Then there is an
(R-optimal) weak $(m, n, a(m - 1)/(m(n - 1)))$-AMD code, where $a = \sum_{h=1}^{\ell} c_h k_h$.

Proof. We omit the proof, which is similar to the proof of Theorem 3.8. □

It is interesting to note that we do not necessarily obtain an R-optimal AMD code if we
start from an arbitrary generalized external difference family. As an example, suppose we construct
an AMD code with equiprobable encoding for two sources using the GEDF presented in Example
2.4. Here it is easy to compute

$$\epsilon = \frac{1}{4} \ne \frac{a(m - 1)}{m(n - 1)} = \frac{5 \times 1}{2 \times 12} = \frac{5}{24},$$

so this code is not R-optimal.

It is an open problem to characterize R-optimal (weak) AMD codes. The following example
illustrates that the converse of Theorem 3.9 is not true in general. That is, we can construct
R-optimal codes that do not come from PEDFs.

Example 3.1. Let $\mathcal{S} = \{1, 2, 3, 4\}$ and let $\mathcal{G} = \mathbb{Z}_{10}$. The encoding function $E$ is defined by $E(1) = 0$,
$E(2) = 5$, $E(3) \in_R \{1, 9\}$ and $E(4) \in_R \{2, 3\}$.

Suppose the adversary chooses $\Delta = 5$; then the adversary wins if $s \in \{1, 2\}$, which occurs with
probability $1/2$. Suppose the adversary chooses $\Delta = 1$; then the adversary succeeds if $s \in \{1, 3\}$,
which occurs with probability $1/2$. Suppose the adversary chooses $\Delta = 2$; then the adversary
succeeds if $s = 1$, if $s = 3$ and $E(s) = 1$, or if $s = 4$ and $E(s) = 3$. The success probability here is

$$\frac{1}{4} + \frac{1}{4} \times \frac{1}{2} + \frac{1}{4} \times \frac{1}{2} = \frac{1}{2}.$$

The remaining choices for $\Delta$ can be checked in a similar way. We obtain a code with success
probability $1/2$. Since $m = 4$, $n = 10$ and $a = 6$, we have $a(m - 1)/(m(n - 1)) = 18/36 = 1/2$, so
the code is R-optimal. However, the sets $\{0\}$, $\{5\}$, $\{1, 9\}$, $\{2, 8\}$ do not form a PEDF.
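
Equation (8) and the bounds of Theorems 3.1 and 3.4 give a direct test for R- and G-optimality of a small weak AMD code (the game of Definition 1.1). The following Python code is an added example, not part of the paper: it assumes the group is $\mathbb{Z}_n$ with equiprobable sources and equiprobable encoding, the function and constant names are hypothetical, and for Example 3.1 it uses the sets $A(s)$ exactly as the encoding function $E$ is defined there.

```python
from fractions import Fraction


def weak_profile(code, n):
    """Return {Delta: eps_Delta} for the weak game over Z_n.

    code maps each source s to its set A(s) of valid encodings.
    Assumes equiprobable sources and equiprobable encoding, so that
    Pr[g] = 1 / (a_s * m) for g in A(s).
    """
    m = len(code)
    owner = {g: s for s, block in code.items() for g in block}
    assert len(owner) == sum(len(b) for b in code.values()), \
        "the sets A(s) must be pairwise disjoint"
    prob = {g: Fraction(1, m * len(code[s])) for g, s in owner.items()}

    profile = {}
    for delta in range(1, n):
        # Good(Delta): encodings g whose shift g + Delta is a valid
        # encoding of a different source (equation (7)).
        good = [g for g, s in owner.items()
                if owner.get((g + delta) % n, s) != s]
        # Lemma 3.6: eps_Delta is the total probability of Good(Delta).
        profile[delta] = sum((prob[g] for g in good), Fraction(0))
    return profile


def optimality(code, n):
    """Compare eps = max eps_Delta with the bounds of Theorems 3.1 and 3.4."""
    m = len(code)
    a = sum(len(block) for block in code.values())
    profile = weak_profile(code, n)
    eps = max(profile.values())
    r_bound = Fraction(a * (m - 1), m * (n - 1))   # Theorem 3.1
    g_bound = Fraction(1, a)                       # Theorem 3.4
    return {
        "eps": eps,
        "R_bound": r_bound,
        "G_bound": g_bound,
        "R_optimal": eps == r_bound,
        "G_optimal": eps == g_bound,
        # Theorem 3.7: R-optimal exactly when eps_Delta is constant.
        "flat": len(set(profile.values())) == 1,
    }


EXAMPLE_1_2 = {1: {3}, 2: {6}, 3: {12}, 4: {7}, 5: {14}}   # in Z_21
GEDF_2_4 = {1: {0, 1}, 2: {2, 4, 6}}                       # in Z_13
EXAMPLE_3_1 = {1: {0}, 2: {5}, 3: {1, 9}, 4: {2, 3}}       # in Z_10

if __name__ == "__main__":
    for name, code, n in (("Example 1.2", EXAMPLE_1_2, 21),
                          ("GEDF of Example 2.4", GEDF_2_4, 13),
                          ("Example 3.1", EXAMPLE_3_1, 10)):
        print(name, optimality(code, n))
```

The difference set of Example 1.2 meets both bounds, the GEDF code meets neither, and the code of Example 3.1 is R-optimal but not G-optimal.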

Figure 2: Difference families that yield R-optimal weak AMD codes (indicated in boldface type)


We can give a tight characterization of k-regular R-optimal weak AMD codes, however, as 
follows. 

Theorem 3.10. An (R-optimal) k-regular weak $(m, n, k(m - 1)/(n - 1))$-AMD code is equivalent
to an $(n, m, k, \lambda)$-EDF.

Proof. Suppose $A_1, \ldots, A_m$ is an $(n, m, k, \lambda)$-EDF. Let $\mathcal{S} = \{s_1, \ldots, s_m\}$ be a set of $m$ sources.
For $1 \le i \le m$, suppose the encoding function $E(s_i)$ is equiprobable. The resulting weak AMD
code is k-regular. Choose any $\Delta \in \mathcal{G}$, $\Delta \ne 0$. The strategy $g \mapsto g + \Delta$ succeeds with probability
$\epsilon_\Delta = \lambda/(km) = k(m - 1)/(n - 1)$. (In fact, this follows from Theorem 3.9.)

Conversely, suppose we have an R-optimal k-regular weak AMD code. Then it must be the
case that $\epsilon_\Delta = k(m - 1)/(n - 1)$ for all $\Delta \ne 0$. Using the fact that the code is a k-regular AMD,
we have

$$\frac{k(m - 1)}{n - 1} = \frac{|\mathrm{Good}(\Delta)|}{km}.$$

Therefore,

$$|\mathrm{Good}(\Delta)| = \frac{k^2 m(m - 1)}{n - 1}.$$

It then follows that $\{A(s) : s \in \mathcal{S}\}$ is an $(n, m, k, \lambda)$-EDF, where $\lambda = k^2 m(m - 1)/(n - 1)$. □

In Figure 2, we indicate the types of difference families that yield R-optimal weak AMD codes.
This summarizes the results proven in this section. 

3.2.2 G-Optimal Weak AMD Codes 

Now we turn to G-optimality. We have the following characterization of G-optimal weak AMD 
codes. 

Theorem 3.11. A (G-optimal) weak $(m, n, 1/a)$-AMD code is equivalent to an $(n, m, k, 1)$-BEDF,
where $a = km$.

Proof. Suppose $A_1, \ldots, A_m$ is an $(n, m, k, 1)$-BEDF. Let $\mathcal{S} = \{s_1, \ldots, s_m\}$ be a set of $m$ sources. For
$1 \le i \le m$, define an encoding function $E(s_i)$ which chooses an element of $A_i$ uniformly at random.
Choose any $\Delta \in \mathcal{G}$, $\Delta \ne 0$. The strategy $g \mapsto g + \Delta$ succeeds with probability $\epsilon_\Delta \le 1/(km) = 1/a$,
since there is at most one occurrence of the difference $\Delta$ in the BEDF. Further, if $\Delta \in \mathcal{D}(A_j, A_i)$
where $i \ne j$, then the strategy $g \mapsto g + \Delta$ succeeds with probability $1/a$.

Figure 3: Difference families with $\lambda = 1$ that yield G-optimal weak AMD codes (indicated in
boldface type)


Conversely, suppose we have a G-optimal weak AMD code. From the proof of Theorem 3.4, we
see that all encodings must occur with the same probability, $1/a$. Since the sources are equiprobable,
this happens only if the code is k-regular with $k = a/m$. Now we claim that $\{A(s) : s \in \mathcal{S}\}$ is an
$(n, m, k, 1)$-BEDF. This is easy to see, because if some difference occurred more than once, it would
immediately follow that $\epsilon \ge 2/a$. □

Now we characterize k-regular weak AMD codes that are simultaneously R-optimal and
G-optimal.

Theorem 3.12. A $k$-regular weak AMD code that is simultaneously R-optimal and G-optimal is equivalent to an $(n,m,k,1)$-EDF.

Proof. From Theorem 3.5 the code has success probability In order for this to occur,

the bounds of Corollary 3.2 and 3.4 both must hold with equality. Therefore the AMD code is simultaneously an $(n,m,k,\lambda)$-EDF (from Theorem 3.10) and an $(n,m,k,1)$-BEDF (from Theorem 3.11). Hence, it is an $(n,m,k,1)$-EDF. □

In Figure 3 we indicate the types of difference families that yield G-optimal weak AMD codes.
Note that the relevant difference families are assumed to have $\lambda = 1$ in this figure.


4 Strong AMD Codes 


We begin by focussing on the success probability of the adversary when the source is fixed to be $s$.
Let $\hat\epsilon_s$ be the success probability of the optimal strategy for the given source $s$.

Theorem 4.1. In any strong AMD code, it holds that

$$\hat\epsilon_s \ge \frac{a - a_s}{n-1}$$

for any source $s \in \mathcal{S}$.

Proof. As in the proof of Theorem 3.1 we consider a random strategy, i.e., $\Delta \neq 0$ is chosen uniformly at random. Given that the source is $s$, it is easy to see that the success probability of this strategy will be

$$\frac{a - a_s}{n-1}.$$


Definition 4.1. We will define a strong AMD code that meets the bound of Theorem 4.1 with equality for every possible source $s$ to be R-optimal. Again, “R” is used to indicate that choosing $\Delta \neq 0$ uniformly at random is an optimal strategy.

Corollary 4.2. In any strong $(m,n,\hat\epsilon)$-AMD code, it holds that

$$\hat\epsilon \ge \frac{a - a_{s'}}{n-1},$$

where $a_{s'} = \min\{a_s : s \in \mathcal{S}\}$.

Proof. The quantity $(a - a_s)/(n-1)$ is maximized when $a_s$ is minimized. □

If the code is $k$-uniform, then the previous bound takes a simpler form.

Corollary 4.3. In any $k$-uniform strong $(m,n,\hat\epsilon)$-AMD code, it holds that

$$\hat\epsilon \ge \frac{k(m-1)}{n-1}.$$

Proof. Here $a_s = k$ for all $s$ and $a = km$. Apply Corollary 4.2. □

Theorem 4.4. In any strong AMD code, it holds that $\hat\epsilon_s \ge 1/a_s$, for any source $s \in \mathcal{S}$.

Proof. Given any source $s$, the adversary can try to guess the encoded message $E(s)$ that is output. The adversary will maximize his probability of success by choosing $g$ such that $\Pr[g \mid s]$ is maximized. Note that there exists a $g$ such that $\Pr[g \mid s] \ge 1/a_s$. Then the adversary can choose $\Delta$ such that $g + \Delta \in \mathcal{G}_0 \setminus A(s)$. The success probability of this strategy is clearly at least $1/a_s$. □

Definition 4.2. We will define a strong AMD code that meets the bound of Theorem 4.4 with equality for every possible source $s$ to be G-optimal. Again, “G” is used to indicate that guessing the most likely encoding is an optimal strategy.

Corollary 4.5. In any strong $(m,n,\hat\epsilon)$-AMD code, it holds that $\hat\epsilon \ge 1/a_{s'}$, where $a_{s'} = \min\{a_s : s \in \mathcal{S}\}$.

Proof. The quantity $1/a_s$ is maximized when $a_s$ is minimized. □


In the case of a $k$-regular code, we have the following corollary.

Corollary 4.6. In any $k$-regular strong $(m,n,\hat\epsilon)$-AMD code, it holds that $\hat\epsilon \ge 1/k$.

We now have an easy proof of the following previously known bound. 

Theorem 4.7. Theorem 2.2] In any $k$-uniform, strong $(m,n,\hat\epsilon)$-AMD code, it holds that

$$\hat\epsilon^2 \ge \frac{m-1}{n-1}.$$

Proof. From Corollary 4.3 we have

$$\hat\epsilon \ge \frac{k(m-1)}{n-1}.$$

Furthermore, from Corollary 4.6 we have $\hat\epsilon \ge 1/k$. Multiplying these two inequalities, we get

$$\hat\epsilon^2 \ge \frac{m-1}{n-1}.$$

□


Remark: We will determine in Theorem 4.14 necessary and sufficient conditions for the bound of Theorem 4.7 to be met with equality in all nontrivial cases, i.e., when $\hat\epsilon < 1$.


4.1 Optimal Strong AMD Codes 

4.1.1 R-Optimal Strong AMD Codes 

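Suppose the source $s$ is fixed. Consider the strategy $g \mapsto g + \Delta$, where $\Delta \neq 0$. Let $\epsilon_{\Delta,s}$ denote the success probability of this strategy. Then it is clear that

$$\hat\epsilon_s = \max\{\epsilon_{\Delta,s} : \Delta \neq 0\}. \qquad (10)$$

For any $\Delta \neq 0$, define

$$\mathrm{Good}(\Delta, s) = \{g : g \in A(s) \text{ and } g + \Delta \in A(s'), \text{ where } s' \neq s\}. \qquad (11)$$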

This is the same definition as except that s is now fixed. 

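Lemma 4.8. For any $\Delta \neq 0$, it holds that

$$\epsilon_{\Delta,s} = \sum_{g \in \mathrm{Good}(\Delta,s)} \Pr[E(s) = g]. \qquad (12)$$

Proof. It is clear that

$$\epsilon_{\Delta,s} = \Pr[E(s) \in \mathrm{Good}(\Delta,s)] = \sum_{g \in \mathrm{Good}(\Delta,s)} \Pr[E(s) = g].$$

□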


Theorem 4.9. In any strong AMD code, $\hat\epsilon_s = (a - a_s)/(n-1)$ if and only if $\epsilon_{\Delta,s} = (a - a_s)/(n-1)$ for all $\Delta \neq 0$.

Proof. Suppose we have an AMD code where $\hat\epsilon_s = (a - a_s)/(n-1)$. It is not hard to compute

$$\begin{aligned}
\sum_{\Delta \neq 0} \epsilon_{\Delta,s} &= \sum_{\Delta \neq 0} \; \sum_{g \in \mathrm{Good}(\Delta,s)} \Pr[E(s) = g] \\
&= \sum_{g \in A(s)} \Pr[E(s) = g] \times |\{\Delta : g \in \mathrm{Good}(\Delta,s)\}| \\
&= \sum_{g \in A(s)} \Pr[E(s) = g] \times (a - a_s) \\
&= a - a_s.
\end{aligned}$$

Therefore the average of the quantities $\epsilon_{\Delta,s}$ ($\Delta \neq 0$) is equal to $(a - a_s)/(n-1)$. In order to have $\hat\epsilon_s = (a - a_s)/(n-1)$, it must be the case that $\epsilon_{\Delta,s} = (a - a_s)/(n-1)$ for all $\Delta \neq 0$. □

Theorem 4.10. Suppose there is an $(n,m; k_1,\dots,k_m; \lambda_1,\dots,\lambda_m)$-GSEDF. Then there is an R-optimal strong AMD code where $a = \sum_{i=1}^{m} k_i$.

Proof. Suppose the GSEDF is given by $A_1,\dots,A_m$. Let $\mathcal{S} = \{s_1,\dots,s_m\}$ be a set of $m$ sources. For $1 \le i \le m$, define $A(s_i) = A_i$, so $a_{s_i} = k_i$, and suppose the encoding function $E(s_i)$ is equiprobable. We show that $\epsilon_{\Delta,s_i} = (a - a_{s_i})/(n-1)$ for $1 \le i \le m$ and all $\Delta \neq 0$. We have

$$\begin{aligned}
\epsilon_{\Delta,s_i} &= \sum_{g \in \mathrm{Good}(\Delta,s_i)} \frac{1}{k_i} \\
&= \frac{a - k_i}{n-1} \quad \text{from ®} \\
&= \frac{a - a_{s_i}}{n-1}.
\end{aligned}$$

□

It is possible to prove a converse to Theorem 4.10 in the case where the AMD code has equiprobable encoding.

Theorem 4.11. Suppose there is an R-optimal strong AMD code with equiprobable encoding. Then the sets $A(s)$ ($s \in \mathcal{S}$) form an $(n,m; k_1,\dots,k_m; \lambda_1,\dots,\lambda_m)$-GSEDF.

Proof. Suppose the sources are denoted $\mathcal{S} = \{s_1,\dots,s_m\}$. Fix a value $i$, $1 \le i \le m$ and let $\Delta \neq 0$. We have

$$\frac{a - a_{s_i}}{n-1} = \epsilon_{\Delta,s_i} = \sum_{g \in \mathrm{Good}(\Delta,s_i)} \frac{1}{a_{s_i}} = \frac{|\mathrm{Good}(\Delta,s_i)|}{a_{s_i}}.$$

Therefore, for a fixed value $i$ we have

$$|\mathrm{Good}(\Delta,s_i)| = \frac{a_{s_i}(a - a_{s_i})}{n-1}$$

for all $\Delta \neq 0$. This says that

$$\mathcal{D}(A(s_i), \mathcal{G}_0 \setminus A(s_i)) = \lambda_i (\mathcal{G} \setminus \{0\}),$$

where

Figure 4: Difference families that yield R-optimal strong AMD codes (indicated in boldface type)


Remark: The results we have proven in Theorems 4.10 and 4.11 establish a close connection
between R-optimal strong AMD codes and GSEDF. In [5], similar results were proven, using the 
language of differential structures, that showed the link between (not necessarily optimal) strong 
AMD codes and BGSEDF. 

4.1.2 G-Optimal Strong AMD Codes 

Now we turn to G-optimality. We have the following characterization of G-optimal strong AMD 
codes. 

Theorem 4.12. A G-optimal strong AMD code is equivalent to an $(n,m; k_1,\dots,k_m; 1,\dots,1)$-BGSEDF.

Proof. Suppose $A_1,\dots,A_m$ is an $(n,m; k_1,\dots,k_m; 1,\dots,1)$-BGSEDF. Let $\mathcal{S} = \{s_1,\dots,s_m\}$ be a set of $m$ sources. For $1 \le i \le m$, define an encoding function $E(s_i)$ which chooses an element of $A_i$ uniformly at random. Let $1 \le i \le m$ and choose any $\Delta \in \mathcal{G} \setminus \{0\}$. Given that the source is $s_i$, the strategy $g \mapsto g + \Delta$ succeeds with probability at most $1/a_{s_i}$, since there is at most one $g \in A_i$ such that $g + \Delta \in A_j$ and $j \neq i$. Further, there exists a $\Delta \neq 0$ such that this strategy succeeds with probability $1/a_{s_i}$.

Conversely, suppose we have a G-optimal strong AMD code. Let $s \in \mathcal{S}$. From the proof of Theorem 4.4 it is easy to see that all encodings of $s$ occur with the same probability $1/|A(s)|$. Now we claim that $\{A(s) : s \in \mathcal{S}\}$ is an $(n,m; k_1,\dots,k_m; 1,\dots,1)$-BGSEDF. Suppose that there existed two different values $g, g' \in A_i$ such that $g + \Delta \in A_j$, $g' + \Delta \in A_{j'}$ and $j, j' \neq i$. It would then follow that $\hat\epsilon_s \ge 2/|A(s)|$, which is a contradiction. □

Now we show that $k$-regular strong AMD codes with $m \ge 3$ cannot be simultaneously R-optimal and G-optimal.

Theorem 4.13. There does not exist a strong AMD code with $m \ge 3$ and $\hat\epsilon < 1$ that is simultaneously R-optimal and G-optimal.

Proof. Since the code is G-optimal, it follows from Theorem 4.12 and its proof that the code has equiprobable encoding and is derived from an $(n,m; k_1,\dots,k_m; 1,\dots,1)$-BGSEDF. Now, since the code is R-optimal and it has equiprobable encoding, Theorem 4.11 shows that the code is derived from an $(n,m; k_1,\dots,k_m; \lambda_1,\dots,\lambda_m)$-GSEDF. Thus we have an $(n,m; k_1,\dots,k_m; 1,\dots,1)$-BGSEDF that is also an $(n,m; k_1,\dots,k_m; \lambda_1,\dots,\lambda_m)$-GSEDF, so it must in fact be an $(n,m; k_1,\dots,k_m; 1,\dots,1)$-GSEDF. This implies that $k_i(a - k_i) = n - 1$ for all $i$. Given $a$ and $n$, the equation $x(a - x) = n - 1$ has at most two distinct roots, and these roots sum to $a$. Suppose that $k_i \neq k_j$ for some $i, j$. Then $k_i + k_j = a$, which implies that $m = 2$, a contradiction. Hence the code is $k$-uniform and the GSEDF is in fact an $(n,m;k;1)$-SEDF. Now Theorem 2.3 implies that $k = 1$ and $n = m$. This code has $\hat\epsilon = 1$, so we are done. □

[Diagram with nodes SEDF, DS, GSEDF, EDF, DF, BGSEDF, PEDF, GEDF, BEDF]

Figure 5: Difference families with $\lambda = 1$ that yield G-optimal strong AMD codes (indicated in boldface type)

Theorem 4.14. There exists a $k$-uniform, strong $(m,n,\hat\epsilon)$-AMD code with $\hat\epsilon^2 = (m-1)/(n-1) < 1$ if and only if $m = 2$ and $n = k^2 + 1$.

Proof. Here we are considering $k$-uniform strong AMD codes that are simultaneously R-optimal and G-optimal. From the proof of Theorem 4.13 we see that $m = 2$ and $k(a - k) = n - 1$. Since $a = 2k$, we have $n = k^2 + 1$. Conversely, if $m = 2$ and $n = k^2 + 1$, then Example 2.2 shows the existence of a $(k^2 + 1, 2; k; 1)$-SEDF. This yields a strong AMD code with $\hat\epsilon = 1/k$, as desired. □

Figure 5 shows the types of difference families that yield G-optimal strong AMD codes. The
relevant difference families are assumed to have $\lambda = 1$ in this figure.
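
The bounds of Theorems 4.1, 4.4 and 4.7 can be checked numerically on small cases. The following Python code is an added example, not code from the paper: it evaluates $\epsilon_{\Delta,s}$ through Good$(\Delta,s)$ and Lemma 4.8 for equiprobable encoding, then tests each source against the R-optimal and G-optimal bounds. Its assumptions are that the group is $\mathbb{Z}_n$ and that the input is the constructed two-set family $A_1 = \{0,\dots,k-1\}$, $A_2 = \{k, 2k, \dots, k^2\}$; all function names are hypothetical.

```python
from fractions import Fraction

def strategy_probs(sets, n, i):
    """eps_{Delta,s_i} for every Delta != 0, via Lemma 4.8 with equiprobable encoding:
    eps_{Delta,s_i} = |Good(Delta, s_i)| / |A(s_i)|, arithmetic in Z_n (assumed group)."""
    A = sets[i]
    others = set().union(*(B for j, B in enumerate(sets) if j != i))
    probs = {}
    for delta in range(1, n):
        good = [g for g in A if (g + delta) % n in others]   # Good(Delta, s_i), eq. (11)
        probs[delta] = Fraction(len(good), len(A))
    return probs

def analyse(sets, n):
    """Per-source optimal success probability, compared with the bounds of
    Theorem 4.1 (R-optimal) and Theorem 4.4 (G-optimal)."""
    a = sum(len(A) for A in sets)
    rows = []
    for i, A in enumerate(sets):
        probs = strategy_probs(sets, n, i)
        rows.append({
            "eps_hat_s": max(probs.values()),                # eq. (10)
            "sum_over_delta": sum(probs.values()),           # a - a_s, as in the proof of Theorem 4.9
            "r_bound": Fraction(a - len(A), n - 1),
            "g_bound": Fraction(1, len(A)),
        })
    return {
        "eps_hat": max(r["eps_hat_s"] for r in rows),
        "R_optimal": all(r["eps_hat_s"] == r["r_bound"] for r in rows),
        "G_optimal": all(r["eps_hat_s"] == r["g_bound"] for r in rows),
        "rows": rows,
    }

def two_set_family(k):
    """Constructed input (assumption): A_1 = {0..k-1}, A_2 = {k, 2k, ..., k^2}."""
    return [set(range(k)), {k * j for j in range(1, k + 1)}]

if __name__ == "__main__":
    k = 3
    for n in (k * k + 1, 13):        # n = k^2 + 1 versus a larger group
        res = analyse(two_set_family(k), n)
        print(n, res["eps_hat"], res["R_optimal"], res["G_optimal"])
```

With $k = 3$ the family meets both bounds in $\mathbb{Z}_{10}$, where $n = k^2 + 1$. In $\mathbb{Z}_{13}$ it is still G-optimal but no longer R-optimal, because three nonzero differences never occur.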

5 Conclusion 

We have studied weak and strong AMD codes that provide optimal protection against two specific 
adversarial substitution strategies. These codes are termed “R-optimal” and “G-optimal”. We 
have considered various types of generalized difference families and determined when they yield 
R-optimal and/or G-optimal AMD codes. As well, we have proven in certain situations that R-optimal
and/or G-optimal AMD codes imply the existence of the relevant difference families, thus
providing a combinatorial characterization of the AMD codes under consideration. 

It is an interesting open problem to construct additional examples of these generalized difference 
families. In particular, we ask if there are any examples of strong external difference families with 
k > 1 and m > 2. We are unaware of any such examples at the present time. 